2022 Bug Bounty Year-in-Review

In late 2021, I was inspired by some of the other bug bounty hunters out there to track my progress throughout the year. I have wrapped up testing for this year and am detailing my experience with this post. I treated testing this year as an experiment to see how viable bug bounty might be as a career, what the upsides of that would be, what the downsides of that might be, and also just to learn more as I went.

Based on data from HackerOne in 2019, of the roughly 700,000 registered bug bounty hunters, 1% made over $35,000 (USD) and 50 made over $100,000. Outside of a few of HackerOne's past reports, there isn't a lot of great data about how many people are making a living on bug bounty, but based on what data we do have, it probably isn't many. *Disclaimer*: because many bug bounty programs pay out in USD or Euros, those who live in a country where the exchange rate is in their favor could make a great living doing bug bounty, even with minimal success.

Breaking Down My Year

I spent a total of 264 hours hunting bugs across 8 months. I took a 4-month break during the summer, so I have excluded those 4 months from my calculations below. This results in an average of 26.4 hours, or about 3 work days (8-hour days), a month.

I earned a total of $21,415 from bug bounty rewards this year. Broken down to an hourly rate, that is $81 per hour, which isn't a number to balk at. Assuming that I was able to maintain that rate across the entire year and worked 40 hours a week, that would result in a "salary" of $168,480/year.

If that all sounds great, here are some things to consider:

  • You need to withhold about 30% of your earnings for your taxes and will need to pay estimated taxes (in the U.S.).
  • You will need to pay for your own benefits, which on average is about $22,000/year.

This would have left me with a theoretical take-home of $95,936.

My Approach

Approaches to bug bounty are well documented. At first, I thought I would go the heavy-automation route. I quickly realized that being successful with heavy automation takes a big investment of time upfront, results in overhead costs from computing expenses, and requires maintenance, care, and feeding. I quickly abandoned that approach and went to an approach that Tommy DeVoss advised me of early on: manually hunt for high-impact vulns and really learn the operation of your targets to catch what others miss. He may not have said it exactly like that, but that's the gist of it. I found as I talked with other high-dollar earners in bug bounty that they also took this approach. So, automation may be popular, but it seems to me that skills and impact are the kings when it comes to high earnings.

Over my 264 hours, I reported the following bounty-earning bugs:

Of those 14 vulnerabilities: 8 were critical severity, 2 were high severity, 2 were medium severity, and 2 were low severity. By severity, criticals represent 58% of my findings, and highs, mediums, and lows each represent 14% of my findings. 87% of my earnings came from critical severity vulnerabilities, which I think reiterates that, with my approach, impact is king for earning decent payouts.

Positives

  • Bug bounty is exciting and fun
  • Endless opportunities to learn new things
  • Nearly endless new and engaging targets for you to look at
  • Potentially good money
  • Potential to earn exponentially more money as you skill-up
  • You work for yourself

Negatives

  • Bug bounty can be frustrating between dry patches and dealing with bad programs (be selective!)
  • Pay rates and payout timelines are inconsistent across programs
  • Burnout could be a real issue if you went into this full-time
  • Highly competitive field
  • You work for yourself (see what I did there?)

Other Considerations and Wrapping Up

If you begin making decent earnings from bug bounty, and depending on what country you live in, you'll want to get yourself a CPA. You may even want to set up an LLC to receive payouts. Another thing that I could see becoming extremely important going into bug bounty as a career is that you'd need to become an expert at managing your money to get through dry spells. Money comes in waves for most bug hunters, as evidenced by some of my larger payouts.

The upside to having a 9-5 is that you are consistently and reliably paid, you have benefits, and you (hopefully) have a team of people that are on your side. After conducting this mini-experiment, I can say that bug bounty as a career is a pipe dream, but not a risk I could accept in life.

As for my plans in 2023, I may continue hunting bugs for the breadth of experience, but I don't plan to put very much time into it going forward. I had committed to doing write-ups of my bugs at the beginning of 2022 here in this blog. As you can see by the lack of links after a certain point in my list of bugs, it became too much to keep up with while hunting. However, in 2023, with this experience and that from my career under my belt, I plan to write more and maybe even do some videos. I realized I liked the creative side of this experiment more than the hunting side, but to get the data I needed, I had to stick to hunting. So, stay tuned for 2023 as I plan to overhaul the blog and hopefully become a content-generating machine :)
